Mobile Threat Blog

mobiSage SDK creates iBackdoor

Researchers recently identified an iOS ad library (the mobiSage SDK) that intentionally included backdoor functionality allowing its operators to remotely control iOS devices from their ad servers. The library includes the following risky behaviors: triggering audio recording, grabbing screenshots, reading passwords from the keychain, full access to files inside the app sandbox, and even “side-loading” apps onto the iOS device. This is a traditional botnet design, with mobiSage’s ad servers acting as the C&C (Command and Control) center. The capability went undetected by Apple’s review and has now been found in thousands of iOS apps on the iTunes App Store.
Appthority’s mobile risk management service has been updated to identify the mobiSage SDK in our customers’ environments. The new threat behavior (“Uses mobiSage with Backdoor”) can be used within the Appthority portal to create a targeted App List that identifies the apps and mobile devices in your enterprise environment that contain the mobiSage SDK. A search of our global app database found a significant number of infected iOS apps (134 unique apps) present on our enterprise customers’ mobile devices. The infection wasn’t limited to any region or industry segment, and was evenly distributed across most of our customers.
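As an added illustration of how an enterprise can build that kind of app list itself, the script below (example code, not Appthority’s product or the mobiSage SDK’s code) statically scans IPA packages for an embedded SDK and rolls the hits up per app and per device. The only identifier taken from this post is the SDK name “mobiSage”; the framework path pattern and the binary string marker are assumptions chosen for illustration, and the two IPAs are constructed in memory so the script runs offline.

```python
"""Added example (not Appthority's code): static scan of IPA packages for an
embedded ad SDK, then roll the findings up into a per-app / per-device list."""
import io
import re
import zipfile

# The SDK name "mobiSage" comes from the post. The framework file name and
# the string marker below are ASSUMED indicators used for illustration only.
FRAMEWORK_RE = re.compile(r"^Payload/[^/]+\.app/Frameworks/mobiSage[^/]*\.framework/", re.I)
BINARY_RE = re.compile(rb"mobiSage", re.I)


def _is_main_binary(name: str) -> bool:
    # Payload/<App>.app/<App> is the app's main Mach-O executable
    parts = name.split("/")
    return (len(parts) == 3 and parts[0] == "Payload"
            and parts[1].endswith(".app") and parts[2] == parts[1][:-4])


def scan_ipa(ipa_bytes: bytes) -> dict:
    """Look for the SDK by framework path and by strings inside executables."""
    findings = {"framework_paths": [], "string_hits": []}
    with zipfile.ZipFile(io.BytesIO(ipa_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            if FRAMEWORK_RE.search(name):
                findings["framework_paths"].append(name)
            if info.is_dir() or info.file_size == 0:
                continue
            # Only read executables: the main binary and anything under Frameworks/
            if _is_main_binary(name) or "/Frameworks/" in name:
                if BINARY_RE.search(zf.read(info)):
                    findings["string_hits"].append(name)
    findings["infected"] = bool(findings["framework_paths"] or findings["string_hits"])
    return findings


def build_app_list(inventory):
    """inventory: iterable of (device_id, bundle_id, ipa_bytes).
    Returns {bundle_id: sorted device_ids} for infected apps only."""
    hits = {}
    for device_id, bundle_id, ipa in inventory:
        if scan_ipa(ipa)["infected"]:
            hits.setdefault(bundle_id, set()).add(device_id)
    return {bundle: sorted(devices) for bundle, devices in hits.items()}


# --- constructed sample data: two minimal IPAs built in memory ---
def _make_ipa(app: str, files: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for rel, data in files.items():
            zf.writestr(f"Payload/{app}.app/{rel}", data)
    return buf.getvalue()


INFECTED_IPA = _make_ipa("Flashlight", {
    # fake Mach-O header followed by a string that embeds the SDK name
    "Flashlight": b"\xcf\xfa\xed\xfe...MobiSageCommandClient...",
    "Frameworks/mobiSage.framework/mobiSage": b"\xcf\xfa\xed\xfe...mobiSage...",
    "Info.plist": b"<plist/>",
})
CLEAN_IPA = _make_ipa("Notes", {
    "Notes": b"\xcf\xfa\xed\xfe...NotesApp...",
    "Info.plist": b"<plist/>",
})

SAMPLE_INVENTORY = [
    ("device-001", "com.example.flashlight", INFECTED_IPA),
    ("device-002", "com.example.flashlight", INFECTED_IPA),
    ("device-002", "com.example.notes", CLEAN_IPA),
]

if __name__ == "__main__":
    for bundle, devices in build_app_list(SAMPLE_INVENTORY).items():
        print(f"{bundle}: {', '.join(devices)}")
```

Matching on a framework path alone misses SDKs that are statically linked into the main executable, which is why the scan also reads the main Mach-O binary; conversely, a string match in a binary is only an indicator, so a real deployment would confirm hits against a vetted signature set before removing apps from devices.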

Recommendation

Currently there is no evidence that mobiSage has activated this backdoor in the wild, although this can change at any time, as iOS apps periodically “phone home” to the mobiSage ad servers for commands. There is also a real possibility that, should the mobiSage ad servers become compromised, bad actors would gain control of thousands of iOS devices. For Appthority customers, we recommend taking immediate action using your portal to identify the mobile devices and infected apps in your enterprise, and removing these apps from all devices as soon as possible. We’ve put together a guide that steps through this process for Appthority customers.

Keep in mind that even though Apple has removed most of these apps from the iTunes App Store, they may still reside on mobile devices as “dead apps” and still need to go through the removal process. Appthority notifies customers impacted by the mobiSage SDK so that these apps can be removed from managed devices.